Users need their own access keys to make programmatic calls to AWS from the AWS Command Line Interface (AWS CLI), Tools for Windows PowerShell, the AWS SDKs, or direct HTTP calls using the APIs for
individual AWS services. To fill this need, you can create, modify, view, or rotate access
keys (access key IDs and secret access keys) for IAM users.

When you create an access key, IAM returns the access key ID and secret access key. You
should save these in a secure location and give them to the user.

Important

To ensure the security of your AWS account, the secret access key is accessible only at
the time you create it. If a secret access key is lost, you must delete the access key for the
associated user and create a new key. For more details, see Retrieving Your Lost or Forgotten Passwords
or Access Keys.

By default, when you create an access key, its status is Active, which means
the user can use the access key for AWS CLI, Tools for Windows PowerShell, and API calls. Each user can have two active
access keys, which is useful when you must rotate the user's access keys. You can disable a
user's access key, which means it can't be used for API calls. You might do this while you're
rotating keys or to revoke API access for a user.

You can delete an access key at any time. However, when you delete an access key, it's gone
forever and cannot be retrieved. (You can always create new keys.)

Choose the name of the desired user, and then choose the Security
Credentials tab.

If needed, expand the Access Keys section and do any of the
following:

To create an access key, choose Create Access Key and then
choose Download Credentials to save the access key ID and secret
access key to a CSV file on your computer. Store the file in a secure location. You
will not have access to the secret access key again after this dialog box closes.
After you have downloaded the CSV file, choose Close.

To disable an active access key, choose Make Inactive.

To reenable an inactive access key, choose Make
Active.

To delete an access key, choose Delete and then choose
Delete to confirm.

To delete an access key

As a security best practice, we recommend that you, an administrator, regularly rotate
(change) the access keys for IAM users in your account. If your users have the necessary
permissions, they can rotate their own access keys. For information about how to give your
users permissions to rotate their own access keys, see Allow Users to Manage Their Own Passwords, Access
Keys, and SSH Keys.

You can also apply a password policy to your account to require that all of your IAM
users periodically rotate their passwords. You can choose how often they must do so. For more
information, see Setting an Account Password Policy for
IAM Users.

Important

If you regularly use the AWS root account credentials, we recommend that you also
regularly rotate them. The account password policy does not apply to the AWS root account
credentials. IAM users cannot manage credentials for the AWS root account, so you must
use the AWS root account's credentials (not a user's) to change the AWS root account
credentials. Note that we recommend against using the AWS root account for everyday work
in AWS.

The following steps describe the general process for rotating an access key without
interrupting your applications. These steps show the AWS CLI, Tools for Windows PowerShell and AWS API commands for
rotating access keys. You can also perform these tasks using the console; for details, see
Creating, Modifying, and Viewing Access Keys
(AWS Management Console), in the
section above.

While the first access key is still active, create a second access key, which will be
active by default. At this point, the user has two active access keys.

Use only the new access key to confirm that your applications are working. Any
applications and tools that still use the original access key will stop working at this
point because they no longer have access to AWS resources. If you find such an
application or tool, you can switch the first access key's state back to Active to
re-enable it. Then return to step 2 and update this application to use the new key.

After you wait some period of time to ensure that all applications and tools have been
updated, you can delete the first access key.
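
The rotation sequence above, written as a small planner that reads one user's `aws iam list-access-keys` output and returns the next AWS CLI command to run. This is an added example, not part of the original documentation. The function names, the 90-day threshold, and the sample key IDs are assumptions, and the deactivation step is inferred from the text's mention of switching the first key back to Active.

```python
import shlex
from datetime import datetime, timezone

# Constructed sample shaped like the AccessKeyMetadata list returned by
# `aws iam list-access-keys --user-name alice`; the key IDs are not real.
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEOLDKEY001",
     "Status": "Active", "CreateDate": "2024-01-10T09:00:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLENEWKEY002",
     "Status": "Active", "CreateDate": "2024-06-01T08:00:00Z"},
]

def _created(key):
    # Accept the trailing "Z" on Python versions older than 3.11.
    return datetime.fromisoformat(key["CreateDate"].replace("Z", "+00:00"))

def _cli(subcommand, user, extra=""):
    return f"aws iam {subcommand} --user-name {shlex.quote(user)}{extra}"

def next_rotation_step(keys, now, max_age_days=90):
    """Return (state, aws_cli_command_or_None) for one user's access keys."""
    if not keys:
        return ("no-keys", None)
    user = keys[0]["UserName"]
    keys = sorted(keys, key=_created)  # oldest first
    active = [k for k in keys if k["Status"] == "Active"]
    inactive = [k for k in keys if k["Status"] == "Inactive"]
    if len(active) == 2:
        # Both keys active: once applications use the newer key, disable
        # the older one. Unlike deletion, this can be undone.
        old = shlex.quote(active[0]["AccessKeyId"])
        return ("deactivate-old", _cli("update-access-key", user,
                f" --access-key-id {old} --status Inactive"))
    if len(active) == 1 and inactive:
        # Old key already disabled: delete it after the waiting period.
        old = shlex.quote(inactive[0]["AccessKeyId"])
        return ("delete-old", _cli("delete-access-key", user,
                f" --access-key-id {old}"))
    if len(active) == 1 and (now - _created(active[0])).days > max_age_days:
        # A single key past the threshold: start rotation with a second key.
        return ("create-new", _cli("create-access-key", user))
    return ("nothing-due", None)

if __name__ == "__main__":
    print(next_rotation_step(SAMPLE_KEYS, datetime.now(timezone.utc)))
```

If a `deactivate-old` step breaks an application, the same `update-access-key` command with `--status Active` restores the first key, which is why deletion comes last.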